
ISO 27001: 2022 A.5.7 Threat intelligence

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.5.7 Threat intelligence.

ISO 27001: 2022 Control Description

Information relating to information security threats shall be collected and analysed to produce threat intelligence.

Purpose

To understand the organisation’s threat environment and take the right actions to protect against threats.

Guidance on Implementation

Collect and analyse information about current or new threats to:

a) Take informed actions to prevent threats from harming the organisation;
b) Reduce the impact of threats.

Threat intelligence includes three layers:

a) Strategic Threat Intelligence: High-level information about the changing threat landscape, such as types of attackers and attacks.
b) Tactical Threat Intelligence: Details on attacker methods, tools, and technologies.
c) Operational Threat Intelligence: Specific information about attacks, including technical indicators.

Good threat intelligence should be:

a) Relevant: Directly related to protecting the organisation.
b) Insightful: Providing a clear and detailed understanding of the threat landscape.
c) Contextual: Adding context based on the timing, location, past experiences, and how common the threats are in similar organisations.
d) Actionable: Information that the organisation can act on quickly and effectively.

Threat Intelligence Activities

To effectively use threat intelligence, the organisation should:

a) Set clear goals for what the threat intelligence should achieve;
b) Identify and select internal and external sources of information;
c) Collect information from these sources;
d) Process the information to prepare it for analysis (e.g., translate, format, corroborate);
e) Analyse the information to understand its relevance and meaning to the organisation;
f) Share the analysed information with relevant individuals in a clear and understandable format.

Using Threat Intelligence

The organisation should use the analysed threat intelligence by:

a) Including it in the organisation’s information security risk management processes;
b) Providing input to technical controls like firewalls, intrusion detection systems, or anti-malware solutions;
c) Using it in information security testing processes and techniques.
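Steps d) to f) of the activities above, followed by use of the result as input to a firewall, as an added example that is not part of the ISO 27001 text or of this FAQ; the feed names, indicator values and blocklist line format are constructed assumptions.

```python
"""Added example: a minimal threat-intelligence pipeline (process, analyse, share)
whose output feeds a technical control. Feeds and indicators are constructed."""
from collections import defaultdict
from datetime import date

# Constructed raw records from two hypothetical feeds in different formats (step c).
RAW_FEEDS = {
    "feed_a": [  # CSV-style lines: type,value,date-seen,note
        "ip,198.51.100.23,2024-05-01,scanning web servers",
        "domain,bad.example,2024-05-02,phishing lure",
    ],
    "feed_b": [  # dict records, as a JSON feed would yield
        {"type": "ip", "value": "198.51.100.23", "seen": "2024-05-03", "note": "ssh brute force"},
        {"type": "ip", "value": "203.0.113.9", "seen": "2024-05-03", "note": "botnet c2"},
    ],
}

def normalise(feed_name, record):
    """Step d (format): put every record into one shape regardless of feed format."""
    if isinstance(record, str):
        kind, value, seen, _note = record.split(",", 3)
    else:
        kind, value, seen = record["type"], record["value"], record["seen"]
    return {"type": kind, "value": value, "seen": date.fromisoformat(seen), "source": feed_name}

def corroborate(records):
    """Step d (corroborate): group by indicator, track distinct sources and last sighting."""
    by_indicator = defaultdict(lambda: {"sources": set(), "last_seen": date.min})
    for rec in records:
        entry = by_indicator[(rec["type"], rec["value"])]
        entry["sources"].add(rec["source"])
        entry["last_seen"] = max(entry["last_seen"], rec["seen"])
    return by_indicator

def analyse(corroborated, exposed_types, today, max_age_days=30, min_sources=1):
    """Step e: keep only indicators that are relevant (a type the organisation is exposed
    to), contextual (recent enough) and corroborated by enough independent sources."""
    actionable = []
    for (kind, value), info in corroborated.items():
        if kind not in exposed_types or (today - info["last_seen"]).days > max_age_days:
            continue
        if len(info["sources"]) >= min_sources:
            actionable.append((kind, value, sorted(info["sources"])))
    return sorted(actionable)

def firewall_blocklist(actionable):
    """Step f and control input: an unambiguous format an operator can apply to a firewall."""
    return [f"deny ip from {v} to any  # sources: {','.join(s)}" for k, v, s in actionable if k == "ip"]

def run(today=date(2024, 5, 10), exposed_types=("ip",), min_sources=2):
    """Whole pipeline: collect -> normalise -> corroborate -> analyse -> share as blocklist."""
    records = [normalise(name, rec) for name, recs in RAW_FEEDS.items() for rec in recs]
    return firewall_blocklist(analyse(corroborate(records), set(exposed_types), today, min_sources=min_sources))
```

With the constructed feeds, only the IP reported by both sources survives the corroboration threshold; lowering `min_sources` admits the single-source indicator as well.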

The organisation should also share threat intelligence with other organisations to enhance overall security.

Other Information

Organisations can use threat intelligence to prevent, detect, or respond to threats. While organisations can produce their own threat intelligence, they usually rely on information from external sources such as independent providers, advisers, government agencies, or collaborative groups.

The quality of threat intelligence affects the effectiveness of security controls.